Why Wall Street is worried about state and local government cybersecurity

Wall Street and the insurance markets are worried about the cybersecurity risks that state and local governments face, including a cascade of ransomware attacks targeting a public sector that is still navigating how to manage more and more services online during the COVID-19 pandemic. 

“The landscape is changing quite rapidly right now, from the cybersecurity insurance and the threat landscape side, which leaves local governments in the middle dealing with issues they traditionally haven’t had to deal with,” Omid Rahmani, Associate Director for US Public Finance at credit rating agency Fitch, told The Record. On Tuesday, Fitch warned that a ransomware attack affecting a human resources company used by many public finance entities could significantly impact municipalities, transportation departments, water supply organizations, and public university systems.

Offices that previously provided a limited set of local services are now finding themselves targeted by far flung criminal or nation-state actors. Those attacks are, in turn, pushing up the prices of cybersecurity insurance—the main line of defense for many state and local governments.

Results of a survey of 150 municipal bond credit analysts and specialists (excluding those at rating agencies) carried out this month by HillTop Securities shows digital risks are increasingly on investors' minds—and practically none of those investors think state and local governments are prepared.

Just 6% of respondents said they thought such governments are “on their way to being prepared” for cyber attacks, while zero said the governments were “prepared” or “very prepared.”

However, many cited cybersecurity as a major factor in the current municipal bond market. 

Twenty-nine percent of those surveyed included cybersecurity among the top five issues affecting that market today, compared to 12% who included the topic as a top concern in a similar survey released by the firm in April of 2020. 

“We, as a rating agency, have obviously seen an uptick in the intensity and number of attacks,” Rahmani said. 

After a ransomware attack hit the city of Atlanta in 2018, many local governments turned to cybersecurity insurance to outsource their risk, according to Rahmani. 

“It became a main lynchpin for the strategy for small and medium sized governments,” he said. 

Ninety percent of the more than 75 local government IT executives surveyed by the Public Technology Institute, which is associated with IT trade association and professional certification nonprofit CompTIA, in August and September of this year said their organizations had cybersecurity insurance. 

But that market increasingly looks unsustainable, or at least unattractive, to many insurers. 

Last month, Fitch reported that cyber insurers “paid out about 73% of premiums collected last year, a dramatic rise from about 34% in 2018.” 

These changes have made major insurers, such as AIG, raise rates and cut coverage. 

In some areas, local governments have formed self-insurance pools that address cybersecurity. But that alternative is facing many of the same struggles, just at a slight lag, Rahmani said. 

“At some point they are going to have to increase their costs too. It’s not like the attack surface is decreasing,” he added.